![]() An administrator could erase a device's hard drive, install another operating system, and the memory would not be changed by the procure. The memory is independent of the operating system, which means that it remains even if the operating system is reinstalled or another system is installed. It is connected to the processor via the Serial Peripheral Interface (SPI). UEFI firmware is usually stored on the in an embedded flash memory chip on the computer's motherboard. The vulnerability CVE-2021-3971 can be exploited to disable SPI protections on Lenovo devices. Lenovo published the security advisory on April 18 and ESET its findings and details a day later. Lenovo confirmed the vulnerabilities in November 2021 and requested a postponing of the public disclosure date to April 2022. Security company ESET reported the vulnerabilities to Lenovo in October 2021. Analysis of the vulnerabilities in Lenovo notebooks A readme file is available for each firmware file, that provides instructions on installing the update on the device.Ĭustomers may also visit the main Lenovo support website to look up updates for their devices this way. The updates can be installed directly from the Windows operating system by running the downloaded executable file. The support page, that lists the vulnerabilities, lists the firmware versions that contain the security fixes. There, they need to select BIOS/UEFI to display the available firmware updates to download the update. Updated firmware drivers are provided by Lenovo customers need to click on the device's support link on the Lenovo website to open the driver website. Some devices are not affected by all three of the vulnerabilities, but most are affected by all three of the confirmed vulnerabilities. ![]() Devices that have reached end of servicing won't receive firmware updates. For others, it aims to deliver firmware updates on May 10, 2022. Lenovo released updated firmware versions for some of the affected products. The full list of affected devices is available on the Lenovo support website. The vulnerabilities affect several Lenovo device families, including Lenovo IdeaPad 3, Flex 3, 元40, Legion 5 and 7, Legion Y540, S14, S145, S540, Slim 7 and 9, V14 and V15, and Yoga Slim 7 devices. It appears that Lenovo did not deactivate these properly in production devices. This feature is only available on 20 models.Lenovo reveals on the website that several of its notebook devices are affected by three different vulnerabilities - CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972 - that could allow attackers with elevated privileges to execute arbitrary code or disable SPI flash protections during the operating system runtime.ĮSET, the security company that discovered the vulnerabilities and reported them to Lenovo, discovered that two of the vulnerabilities affect UEFI firmware drivers that were meant only for use in the manufacturing process. Accepted values are 2-7, where 2 is the fastest and 7 is the slowest. Values represent a few seconds each, where 0 is the fastest and 9 is the slowest.ĭetermines how quickly the fans accelerate or decelerate when it is time to change fan speeds. Only available in Discrete Graphics Mode (Hybrid Off).ĭetermines how often LegionFanControl should check the current temperature before deciding to change fan speed or not. Removes laptop control of the fans so they run at their factory maximum speeds. Some users may want to disable this behaviour if they use other tools to manage their Windows Power Plan switching events Will also switch corresponding Windows Power Plans if they existĬhoose whether switching the Legion Power Mode will also switch the corresponding Windows Power Plans if it exists.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |